From patchwork Wed Feb 17 13:58:26 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka <adolf.belka@ipfire.org>
X-Patchwork-Id: 3894
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature RSA-PSS (4096 bits))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4DgfZF2t4jz3wps
	for <patchwork@web04.haj.ipfire.org>; Wed, 17 Feb 2021 13:58:29 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4DgfZD3MLszl9;
	Wed, 17 Feb 2021 13:58:28 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4DgfZD1sr9z2yCB;
	Wed, 17 Feb 2021 13:58:28 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature RSA-PSS (4096 bits))
 (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4DgfZC5bSNz2xF1
 for <development@lists.ipfire.org>; Wed, 17 Feb 2021 13:58:27 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4DgfZC0GMgzYk;
 Wed, 17 Feb 2021 13:58:26 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1613570307;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=qHgVI053hQj+hNKkEeRg/M9C+dNVkvw+FOU4BpAymvY=;
 b=aIq44ZsHt/Y8B4OW7p3/x3sU4pOtmwfbmNMkTxFRPxct6Wd2+IAYnI02gw3yvsqpLj/36A
 B0ep8JNWHS45OZBw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1613570307;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=qHgVI053hQj+hNKkEeRg/M9C+dNVkvw+FOU4BpAymvY=;
 b=oNiitFSZBEh+zfMdj2MpG+c8CErqnRi/hYBp+qJe/XMrkxMOiGa8YVL0ZipoAjBCxQKXAO
 ddtFj5U1TLe3S910O2s8Dozej+dctZNFJwRu95sGUfFHHrshUTlaoUOaocRSLREornyGrV
 JTJ/YOkWMTyoKkWcW/MO0wVromGUV77sC3/ExvhqzWIsdXwbLG6SOJE09tQjLsMnTjSLCf
 DgRdiGdCTew7iCTGQZGvjQa31ncYMc+t8HiPPCKp2H9WjM3+8XVqJ37uBtMmFEUNpqwWDh
 /rG/YKYvUrh7N+eHihE7SwRfEyoWWpVzALTDQ3Iirkcxz/Y4PWsVno/TGIFurA==
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] bug#10629: Prevent dynamic and fixed leases overlapping
Date: Wed, 17 Feb 2021 14:58:26 +0100
Message-Id: <20210217135826.3705690-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

- This is a fix for bug #10629
- I have tested this out on my vm testbed system. Everything worked fine
  with this. It would be good to get other test feedback in case I have
  missed something.
- This fix flags up if a fixed lease is created within the existing dynamic
  range
- This fix also works if a dynamic lease is converted to a fixed lease. A
  new IP outside the dynamic range has to be selected.
- A check has also been added if the dynamic range is modified to overlap
  any existing fixed leases. The error message will also inform how many
  fixed leases are now overlapped by the modified dynamic range.
- If an interface is disabled and fixed leases within the dynamic range
  created or the dynamic range expanded to overlap with existing fixed
  leases, then when the interface is enabled again the check is carried
  out and catches these and prevents them being set.
- New error messages added to en.pl file

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/cfgroot/general-functions.pl | 18 ++++++++++++
 doc/language_issues.de              |  2 ++
 doc/language_issues.en              |  2 ++
 doc/language_issues.es              |  2 ++
 doc/language_issues.fr              |  2 ++
 doc/language_issues.it              |  2 ++
 doc/language_issues.nl              |  2 ++
 doc/language_issues.pl              |  2 ++
 doc/language_issues.ru              |  2 ++
 doc/language_issues.tr              |  2 ++
 doc/language_missings               | 24 ++++++++++++++++
 html/cgi-bin/dhcp.cgi               | 43 +++++++++++++++++++++++++++++
 langs/en/cgi-bin/en.pl              |  3 ++
 13 files changed, 106 insertions(+)

diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
index a6656ccf5..a8c8d171c 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -591,6 +591,24 @@ sub check_net_internal_exact{
 	if (($ownnet{'RED_NETADDRESS'} 		ne '' && $ownnet{'RED_NETADDRESS'} 		ne '0.0.0.0') && &Network::network_equal("$ownnet{'RED_NETADDRESS'}/$ownnet{'RED_NETMASK'}", $network)){ $errormessage=$Lang::tr{'ccd err red'};return $errormessage;}
 }
 
+sub ip_address_in_ip_range($$) {
+# Returns True if $ipaddress is within $ipstart and $ipend range.
+	my $ipaddress = shift;
+	my $ipstart = shift;
+	my $ipend = shift;
+
+	my $ipaddress_bin = &Network::ip2bin($ipaddress);
+	return undef unless (defined $ipaddress_bin);
+
+	my $ipstart_bin = &Network::ip2bin($ipstart);
+	return undef unless (defined $ipstart_bin);
+
+	my $ipend_bin = &Network::ip2bin($ipend);
+	return undef unless (defined $ipend_bin);
+
+	return (($ipaddress_bin >= $ipstart_bin) && ($ipaddress_bin <= $ipend_bin));
+}
+
 sub validport
 {
 	$_ = $_[0];
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 5d079036a..cb3e89b2e 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -840,6 +840,8 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error
 WARNING: translation string unused: zoneconf val vlan tag assignment error
 WARNING: translation string unused: zoneconf val zoneslave amount error
 WARNING: untranslated string: desired = Desired
+WARNING: untranslated string: dhcp dynamic range overlap = Dynamic range overlapped with 
+WARNING: untranslated string: dhcp fixed ip address =  Fixed IP Address(es)
 WARNING: untranslated string: disable = Disable
 WARNING: untranslated string: enable = Enable
 WARNING: untranslated string: error the to date has to be later than the from date = The to date has to be later than the from date!
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 6e30eb995..832ff8d92 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -582,6 +582,8 @@ WARNING: untranslated string: dhcp dns key name = Key Name
 WARNING: untranslated string: dhcp dns update = DNS Update
 WARNING: untranslated string: dhcp dns update algo = Algorithm
 WARNING: untranslated string: dhcp dns update secret = Secret
+WARNING: untranslated string: dhcp dynamic range overlap = Dynamic range overlapped with 
+WARNING: untranslated string: dhcp fixed ip address =  Fixed IP Address(es)
 WARNING: untranslated string: dhcp server = DHCP Server
 WARNING: untranslated string: dhcp server disabled = DHCP server disabled.  Stopped.
 WARNING: untranslated string: dhcp server enabled = DHCP server enabled.  Restarting.
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 82d65d99c..b65ecd164 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -893,6 +893,8 @@ WARNING: untranslated string: dhcp dns key name = Key Name
 WARNING: untranslated string: dhcp dns update = DNS Update
 WARNING: untranslated string: dhcp dns update algo = Algorithm
 WARNING: untranslated string: dhcp dns update secret = Secret
+WARNING: untranslated string: dhcp dynamic range overlap = Dynamic range overlapped with 
+WARNING: untranslated string: dhcp fixed ip address =  Fixed IP Address(es)
 WARNING: untranslated string: dhcp valid range required when deny known clients checked = Valid range required when "Deny known clients:" is checked
 WARNING: untranslated string: disable = Disable
 WARNING: untranslated string: disconnected = Disconnected
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 942be73ec..71de90bd7 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -880,6 +880,8 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error
 WARNING: translation string unused: zoneconf val vlan tag assignment error
 WARNING: translation string unused: zoneconf val zoneslave amount error
 WARNING: untranslated string: dhcp deny known clients: = Deny known clients:
+WARNING: untranslated string: dhcp dynamic range overlap = Dynamic range overlapped with 
+WARNING: untranslated string: dhcp fixed ip address =  Fixed IP Address(es)
 WARNING: untranslated string: dhcp valid range required when deny known clients checked = Valid range required when "Deny known clients:" is checked
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 98074e59f..a4cd8c5db 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -917,6 +917,8 @@ WARNING: untranslated string: dhcp dns key name = Key Name
 WARNING: untranslated string: dhcp dns update = DNS Update
 WARNING: untranslated string: dhcp dns update algo = Algorithm
 WARNING: untranslated string: dhcp dns update secret = Secret
+WARNING: untranslated string: dhcp dynamic range overlap = Dynamic range overlapped with 
+WARNING: untranslated string: dhcp fixed ip address =  Fixed IP Address(es)
 WARNING: untranslated string: dhcp valid range required when deny known clients checked = Valid range required when "Deny known clients:" is checked
 WARNING: untranslated string: disable = Disable
 WARNING: untranslated string: disconnected = Disconnected
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 8eebbd57f..9cef4790e 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -918,6 +918,8 @@ WARNING: untranslated string: dhcp dns key name = Key Name
 WARNING: untranslated string: dhcp dns update = DNS Update
 WARNING: untranslated string: dhcp dns update algo = Algorithm
 WARNING: untranslated string: dhcp dns update secret = Secret
+WARNING: untranslated string: dhcp dynamic range overlap = Dynamic range overlapped with 
+WARNING: untranslated string: dhcp fixed ip address =  Fixed IP Address(es)
 WARNING: untranslated string: disable = Disable
 WARNING: untranslated string: disconnected = Disconnected
 WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip)
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 82d65d99c..b65ecd164 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -893,6 +893,8 @@ WARNING: untranslated string: dhcp dns key name = Key Name
 WARNING: untranslated string: dhcp dns update = DNS Update
 WARNING: untranslated string: dhcp dns update algo = Algorithm
 WARNING: untranslated string: dhcp dns update secret = Secret
+WARNING: untranslated string: dhcp dynamic range overlap = Dynamic range overlapped with 
+WARNING: untranslated string: dhcp fixed ip address =  Fixed IP Address(es)
 WARNING: untranslated string: dhcp valid range required when deny known clients checked = Valid range required when "Deny known clients:" is checked
 WARNING: untranslated string: disable = Disable
 WARNING: untranslated string: disconnected = Disconnected
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 43c1f8c08..76fd6b350 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -895,6 +895,8 @@ WARNING: untranslated string: dhcp dns key name = Key Name
 WARNING: untranslated string: dhcp dns update = DNS Update
 WARNING: untranslated string: dhcp dns update algo = Algorithm
 WARNING: untranslated string: dhcp dns update secret = Secret
+WARNING: untranslated string: dhcp dynamic range overlap = Dynamic range overlapped with 
+WARNING: untranslated string: dhcp fixed ip address =  Fixed IP Address(es)
 WARNING: untranslated string: dhcp valid range required when deny known clients checked = Valid range required when "Deny known clients:" is checked
 WARNING: untranslated string: disable = Disable
 WARNING: untranslated string: disconnected = Disconnected
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 439a58890..bd78a5a4e 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -896,6 +896,8 @@ WARNING: untranslated string: dangerous = Dangerous
 WARNING: untranslated string: default IP address = Default IP Address
 WARNING: untranslated string: desired = Desired
 WARNING: untranslated string: dhcp deny known clients: = Deny known clients:
+WARNING: untranslated string: dhcp dynamic range overlap = Dynamic range overlapped with 
+WARNING: untranslated string: dhcp fixed ip address =  Fixed IP Address(es)
 WARNING: untranslated string: dhcp valid range required when deny known clients checked = Valid range required when "Deny known clients:" is checked
 WARNING: untranslated string: disable = Disable
 WARNING: untranslated string: disconnected = Disconnected
diff --git a/doc/language_missings b/doc/language_missings
index 0d89426ca..3d6c5103d 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -28,6 +28,9 @@
 < could not connect to www ipfire org
 < cryptographic settings
 < desired
+< dhcp dynamic range overlap
+< dhcp fixed ip address
+< dhcp fixed ip address in dynamic range
 < dhcp server disabled on blue interface
 < dhcp server enabled on blue interface
 < dh name is invalid
@@ -230,6 +233,9 @@
 < dhcp dns update
 < dhcp dns update algo
 < dhcp dns update secret
+< dhcp dynamic range overlap
+< dhcp fixed ip address
+< dhcp fixed ip address in dynamic range
 < dhcp valid range required when deny known clients checked
 < dh key move failed
 < dh key warn
@@ -969,6 +975,9 @@
 < bewan adsl pci st
 < bewan adsl usb
 < dhcp deny known clients:
+< dhcp dynamic range overlap
+< dhcp fixed ip address
+< dhcp fixed ip address in dynamic range
 < dhcp valid range required when deny known clients checked
 < g.dtm
 < g.lite
@@ -1071,6 +1080,9 @@
 < dhcp dns update
 < dhcp dns update algo
 < dhcp dns update secret
+< dhcp dynamic range overlap
+< dhcp fixed ip address
+< dhcp fixed ip address in dynamic range
 < dhcp valid range required when deny known clients checked
 < disable
 < Disabled
@@ -1460,6 +1472,9 @@
 < dhcp dns update
 < dhcp dns update algo
 < dhcp dns update secret
+< dhcp dynamic range overlap
+< dhcp fixed ip address
+< dhcp fixed ip address in dynamic range
 < dh key move failed
 < dh key warn
 < dh key warn1
@@ -1965,6 +1980,9 @@
 < dhcp dns update
 < dhcp dns update algo
 < dhcp dns update secret
+< dhcp dynamic range overlap
+< dhcp fixed ip address
+< dhcp fixed ip address in dynamic range
 < dhcp valid range required when deny known clients checked
 < dh key move failed
 < dh key warn
@@ -2848,6 +2866,9 @@
 < dhcp dns update
 < dhcp dns update algo
 < dhcp dns update secret
+< dhcp dynamic range overlap
+< dhcp fixed ip address
+< dhcp fixed ip address in dynamic range
 < dhcp valid range required when deny known clients checked
 < dh key move failed
 < dh key warn
@@ -3595,6 +3616,9 @@
 < default IP address
 < desired
 < dhcp deny known clients:
+< dhcp dynamic range overlap
+< dhcp fixed ip address
+< dhcp fixed ip address in dynamic range
 < dhcp valid range required when deny known clients checked
 < disable
 < Disabled
diff --git a/html/cgi-bin/dhcp.cgi b/html/cgi-bin/dhcp.cgi
index 867614f2a..82ea754c7 100644
--- a/html/cgi-bin/dhcp.cgi
+++ b/html/cgi-bin/dhcp.cgi
@@ -130,6 +130,7 @@ open(FILE, "$filename2") or die 'Unable to open fixed leases file.';
 our @current2 = <FILE>;
 close(FILE);
 
+
 # Check Settings1 first because they are needed by &buildconf
 if ($dhcpsettings{'ACTION'} eq $Lang::tr{'save'}) {
     foreach my $itf (@ITFs) {
@@ -183,6 +184,24 @@ if ($dhcpsettings{'ACTION'} eq $Lang::tr{'save'}) {
 		}
 	    }
 
+	    # Check if dynamic range and Fixed IP Addresses overlap
+	    if ((!$dhcpsettings{"START_ADDR_${itf}"}) eq '' && (!$dhcpsettings{"END_ADDR_${itf}"}) eq '') {
+		my $count=0;
+		foreach my $line (@current2) {
+			chomp($line);
+			my @temp = split(/\,/,$line);
+			if (&General::ip_address_in_ip_range($temp[1],
+							     $dhcpsettings{"START_ADDR_${itf}"},
+							     $dhcpsettings{"END_ADDR_${itf}"})) {
+				$count++;
+			}
+		}
+		if ($count > 0) {
+			$errormessage = "DHCP on ${itf}: " . $Lang::tr{'dhcp dynamic range overlap'} . $count . $Lang::tr{'dhcp fixed ip address'};
+			goto ERROR;
+		}
+	    }
+
 	    if (!($dhcpsettings{"DEFAULT_LEASE_TIME_${itf}"} =~ /^\d+$/)) {
 		$errormessage = "DHCP on ${itf}: " . $Lang::tr{'invalid default lease time'} . $dhcpsettings{'DEFAULT_LEASE_TIME_${itf}'};
 		goto ERROR;
@@ -415,10 +434,34 @@ if ($dhcpsettings{'ACTION'} eq $Lang::tr{'toggle enable disable'}.'2') {
 if ($dhcpsettings{'ACTION'} eq $Lang::tr{'add'}.'2') {
     $dhcpsettings{'FIX_MAC'} =~ tr/-/:/;
     unless(&General::validip($dhcpsettings{'FIX_ADDR'})) { $errormessage = $Lang::tr{'invalid fixed ip address'}; }
+# Check if fixed address is in the dynamic range, if defined
+    foreach my $itf (@ITFs) {
+	if ($dhcpsettings{"ENABLE_${itf}"} eq 'on' ) {
+		if ($dhcpsettings{"START_ADDR_${itf}"}) {
+    			if (&General::ip_address_in_ip_range($dhcpsettings{'FIX_ADDR'},
+							     $dhcpsettings{"START_ADDR_${itf}"},
+							     $dhcpsettings{"END_ADDR_${itf}"})) {
+				$errormessage = $Lang::tr{"dhcp fixed ip address in dynamic range"}; 
+			}
+		}
+	}
+    }
     unless(&General::validmac($dhcpsettings{'FIX_MAC'})) { $errormessage = $Lang::tr{'invalid fixed mac address'}; }
     if ($dhcpsettings{'FIX_NEXTADDR'}) {
         unless(&General::validip($dhcpsettings{'FIX_NEXTADDR'})) { $errormessage = $Lang::tr{'invalid fixed ip address'}; }
     }
+# Check if fixed next address is in the dynamic range, if defined
+    foreach my $itf (@ITFs) {
+	if ($dhcpsettings{"ENABLE_${itf}"} eq 'on' ) {
+		if ($dhcpsettings{"START_ADDR_${itf}"}) {
+    			if (&General::ip_address_in_ip_range($dhcpsettings{'FIX_NEXTADDR'},
+							     $dhcpsettings{"START_ADDR_${itf}"},
+							     $dhcpsettings{"END_ADDR_${itf}"})) {
+				$errormessage = $Lang::tr{"dhcp fixed ip address in dynamic range"}; 
+			}
+		}
+	}
+    }
 	
     my $key = 0;
     CHECK:foreach my $line (@current2) {
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 95a1cfda4..0dbdf7bd5 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -806,6 +806,9 @@
 'dhcp dns update' => 'DNS Update',
 'dhcp dns update algo' => 'Algorithm',
 'dhcp dns update secret' => 'Secret',
+'dhcp dynamic range overlap' => 'Dynamic range overlapped with ',
+'dhcp fixed ip address' => ' Fixed IP Address(es)',
+'dhcp fixed ip address in dynamic range' => 'Fixed IP Address in dynamic range is not allowed',
 'dhcp fixed lease err1' => 'For a fix lease you have to enter the MAC address or the hostname, or you enter both.',
 'dhcp fixed lease help1' => 'IP Addresses might be entered as FQDN',
 'dhcp mode' => 'DHCP',